Active-Directory

Quick Reference Technique Tool Requires Creds AD port scan nmap No DNS SRV enumeration dig / nslookup No LDAP anonymous bind ldapsearch No Full LDAP dump ldapdomaindump No / Yes SMB/User enumeration enum4linux-ng No / Yes AD enumeration swiss-knife NetExec (nxc) No / Yes Attack path mapping bloodhound-python Yes Kerberos user enum Kerbrute No User / SID enumeration lookupsid.py, GetADUsers.py No / Yes RPC enumeration rpcclient No / Yes LDAP attribute queries windapsearch Yes Share content discovery nxc spider_plus Yes adminCount / SPN / UAC flags ldapsearch Yes Environment Setup Before attacking an AD environment from Kali, configure your local resolver and Kerberos client so tools resolve domain names correctly. ...

Delegation Attacks — From Windows Kerberos delegation allows services to impersonate users when accessing downstream resources on their behalf. Misconfigured delegation is one of the most reliable paths to domain compromise from a low-privilege Windows foothold. This guide covers all four major delegation attack classes — Unconstrained, Constrained (KCD), Resource-Based Constrained Delegation (RBCD), and Shadow Credentials — with full PowerShell and command-line tradecraft. Quick Reference Table Attack Primary Tool Required Privilege Unconstrained Delegation Rubeus monitor + coercion Local Admin on delegating host Constrained Delegation Rubeus s4u Service account creds or hash RBCD PowerMad + PowerView + Rubeus GenericWrite or WriteDACL on target computer object Shadow Credentials Whisker + Rubeus WriteProperty on msDS-KeyCredentialLink 1. Delegation Concepts 1.1 Why Delegation Exists Kerberos delegation was introduced to solve the “double-hop” problem: when a front-end web service needs to authenticate to a back-end SQL server using the identity of the connecting user, it needs the ability to forward or impersonate that user’s credentials downstream. Three delegation mechanisms exist in Active Directory, each with different security boundaries and abuse surfaces. ...

Quick Reference Attack Requirement Tool Cross-domain Kerberoast Valid domain user in child Rubeus Parent-Child escalation krbtgt hash of child Mimikatz / Rubeus Diamond Ticket cross-domain krbtgt AES256 + DA creds Rubeus One-way inbound abuse DCSync TDO object Mimikatz One-way outbound abuse DCSync TDO GUID Mimikatz Cross-forest Kerberoast Trust configured Rubeus Trust Concepts Trust Types Type Value Description DOWNLEVEL 1 Windows NT 4.0-style trust UPLEVEL 2 Active Directory (Kerberos-based) trust MIT 3 Non-Windows Kerberos realm DCE 4 Theoretical, not used in practice Parent-Child Trust — A two-way, transitive trust automatically created when a new domain is added to an existing tree. The child domain and parent domain mutually authenticate via Kerberos. ...

Quick Reference Table Technique Tool Requirement Stealth Level Golden Ticket Mimikatz / Rubeus krbtgt hash + DOMAIN_SID Medium Silver Ticket Mimikatz / Rubeus Service account hash High Diamond Ticket Rubeus krbtgt AES256 + DA creds High DCSync rights backdoor PowerView Domain Admin Low AdminSDHolder abuse PowerView Domain Admin Low DPAPI Backup Key SharpDPAPI Domain Admin High Skeleton Key Mimikatz Domain Admin (LSASS access) Low WMI Event Subscription PowerShell Local Admin Medium SID History Mimikatz Domain Admin Medium DCSync What it is: Abuse of the Directory Replication Service (DRS) protocol to impersonate a domain controller and request password data for any account directly from a legitimate DC. No file on disk needs to be touched — the DC simply hands over the hashes on request, because that is exactly what the DRS protocol is designed to do between DCs. ...

Quick Reference Table ESC Vulnerability Tool Requirement ESC1 SAN in template certipy req Enroll permission on template ESC2 Any Purpose EKU certipy req Enroll permission ESC3 Enrollment Agent certipy req Agent cert + second request ESC4 Template write access certipy template GenericWrite on template ESC6 EDITF_ATTRIBUTESUBJECTALTNAME2 on CA certipy req Any enroll permission ESC7 CA Manage Officer certipy ca Manage CA / Manage Certificates ESC8 NTLM relay to /certsrv/ certipy relay PetitPotam/coercion ESC9 No szOID_NTDS_CA_SECURITY_EXT certipy UPN mapping abuse ESC11 Relay to ICPR certipy relay -ca-pfx NTLM relay AD CS Fundamentals Active Directory Certificate Services (AD CS) is Microsoft’s PKI (Public Key Infrastructure) implementation. It issues X.509 certificates used for authentication, encryption, and signing within a Windows domain. ...

Quick Reference ESC Vulnerability Tool Requirement ESC1 SAN in template Certify + Rubeus Enroll on template ESC2 Any Purpose EKU Certify + Rubeus Enroll on template ESC3 Enrollment Agent Certify x2 + Rubeus Agent cert + 2nd enroll ESC4 Template write access PowerView + Certify GenericWrite on template ESC6 EDITF_ATTRIBUTESUBJECTALTNAME2 Certify + Rubeus Any enroll ESC7 CA Officer / Manage Certify ca ManageCA or ManageCertificates ESC8 NTLM relay to certsrv ntlmrelayx (from Kali) Coercion + web enrollment AD CS Fundamentals Active Directory Certificate Services (AD CS) is Microsoft’s PKI implementation, used to issue digital certificates for authentication, encryption, and code signing within a Windows domain. It is high-value from an attacker’s perspective because: ...